France’s data regulator CNIL has issued some recommendations for French services that handle health data, as Mediapart first reported. Those services should avoid using American cloud hosting companies altogether, such as Microsoft Azure, Amazon Web Services and Google Cloud.
Those recommendations follow a landmark ruling by Europe’s top court in July. The ruling, dubbed Schrems II, struck down the EU-US Data Privacy Shield. Under the Privacy Shield, companies could outsource data processing from the EU to the US in bulk. Due to concerns over US surveillance laws, that mechanism is no longer allowed.
The CNIL is going one step further by saying that services and companies that handle health data should also avoid doing business with American companies — it’s not just about processing European data in Europe. Once again, this is all about avoiding falling under U.S. regulation and rulings.
The regulator sent those recommendations to one of France’s top courts (Conseil d’État). SantéNathon, a group of organizations and unions, originally notified the CNIL over concerns about France’s Health Data Hub.
France is currently building a platform to store health data at the national level. The idea is to build a hub that makes it easier to study rare diseases and use artificial intelligence to improve diagnoses. It is supposed to aggregate data from different sources and make it possible to share some data with public and private institutions for those specific cases.
The technical choices have been controversial as the French government originally chose to partner with Microsoft and its cloud platform Microsoft Azure.
Microsoft, like many other companies, relies on Standard Contractual Clauses for EU-US data transfers. But the Court of Justice of the EU has made it clear that EU regulators have to intervene if data is being transferred to an unsafe country when